2  *  Copyright (C) 2021 - This file is part of libecc project
24  * based on libecc arithmetic primitives, as described in the ISO14888-3
44  * All-in-all, this piece of code can be useful in some contexts, or risky to
45  * use in other sensitive ones where advanced side-channels or fault attacks
113                 buf[i - shift] = buf[i];  in buf_lshift()
118                 buf[buflen - i] = 0;  in buf_lshift()
135 	/* alpha is the bit length of p, beta is the bit length of q */  in kcdsa_sign()
148 	/* This is a bit too much for stack space, but we need it for  in kcdsa_sign()
170 	p = &(priv->p);  in kcdsa_sign()
171 	q = &(priv->q);  in kcdsa_sign()
172 	g = &(priv->g);  in kcdsa_sign()
173 	x = &(priv->x);  in kcdsa_sign()
181 	/* Let alpha be the bit length of p */  in kcdsa_sign()
183 	/* Let beta be the bit length of q */  in kcdsa_sign()
191 	 * The signature size is either "gamma" + beta or 2 * beta  in kcdsa_sign()
244 		ret = buf_lshift(pi_buf, (u16)BYTECEIL(alpha), (u16)(BYTECEIL(alpha) - block_size)); EG(ret, err);  in kcdsa_sign()
262 		ret = buf_lshift(hash, hlen, (u16)(hlen - BYTECEIL(beta))); EG(ret, err);  in kcdsa_sign()
267 		ret = buf_lshift(pi_buf, (u16)BYTECEIL(alpha), (u16)(BYTECEIL(alpha) - block_size)); EG(ret, err);  in kcdsa_sign()
273 		ret = buf_lshift(hash, hlen, (u16)(hlen - BYTECEIL(beta))); EG(ret, err);  in kcdsa_sign()
292          * In case of blinding, we compute b^-1 with  in kcdsa_sign()
299 	/* Compute s = x (k - v) mod q  */  in kcdsa_sign()
350 	/* alpha is the bit length of p, beta is the bit length of q */  in kcdsa_verify()
359 	/* This is a bit too much for stack space, but we need it for  in kcdsa_verify()
376 	p = &(pub->p);  in kcdsa_verify()
377 	q = &(pub->q);  in kcdsa_verify()
378 	g = &(pub->g);  in kcdsa_verify()
379 	y = &(pub->y);  in kcdsa_verify()
387 	/* Let alpha be the bit length of p */  in kcdsa_verify()
389 	/* Let beta be the bit length of q */  in kcdsa_verify()
397 	 * The signature size is either "gamma" + beta or 2 * beta  in kcdsa_verify()
409 	ret = _os2ip(&s, sig + curr_rlen, (u16)(siglen - curr_rlen)); EG(ret, err);  in kcdsa_verify()
428 		ret = buf_lshift(pi_buf, (u16)BYTECEIL(alpha), (u16)(BYTECEIL(alpha) - block_size)); EG(ret, err);  in kcdsa_verify()
443 		ret = buf_lshift(pi_buf, (u16)BYTECEIL(alpha), (u16)(BYTECEIL(alpha) - block_size)); EG(ret, err);  in kcdsa_verify()
449 		ret = buf_lshift(hash, hlen, (u16)(hlen - BYTECEIL(beta))); EG(ret, err);  in kcdsa_verify()
488 		ret = buf_lshift(hash, hlen, (u16)(hlen - BYTECEIL(beta))); EG(ret, err);  in kcdsa_verify()
493 	ret = (cmp != 1) ? -1 : 0;  in kcdsa_verify()
516 	/* This example is taken from ISO14888-3 KCDSA (Appendix F "Numerical examples" */  in main()
524 0x32, 0x33, 0x44, 0x4F, 0x98, 0x76, 0x3C, 0x5A, 0x1E, 0x82, 0x9C, 0x76, 0x4C, 0xF3, 0x6A, 0xDB, 0x5…  in main()
532 …D, 0xFD, 0x1B, 0xE7, 0xFE, 0xE5, 0x46, 0x50, 0xF2, 0x2A, 0x3B, 0xB9, 0x97, 0x53, 0x7F, 0x32, 0xCC,   in main()
557 0x58, 0x2F, 0x76, 0xA2, 0xF2, 0x2B, 0x8B, 0x1B, 0x32, 0x23, 0x0B, 0xC5, 0x8F, 0x06, 0xB7, 0x68, 0xF…  in main()
575 	u8 sig[28*2] = { 0 };  in main()
580 	/* This example is taken from ISO14888-3 KCDSA (Appendix F "Numerical examples" */  in main()
588 0x32, 0x33, 0x44, 0x4F, 0x98, 0x76, 0x3C, 0x5A, 0x1E, 0x82, 0x9C, 0x76, 0x4C, 0xF3, 0x6A, 0xDB, 0x5…  in main()
596 …D, 0xFD, 0x1B, 0xE7, 0xFE, 0xE5, 0x46, 0x50, 0xF2, 0x2A, 0x3B, 0xB9, 0x97, 0x53, 0x7F, 0x32, 0xCC,   in main()
621 0x58, 0x2F, 0x76, 0xA2, 0xF2, 0x2B, 0x8B, 0x1B, 0x32, 0x23, 0x0B, 0xC5, 0x8F, 0x06, 0xB7, 0x68, 0xF…  in main()
639 	u8 sig[28*2] = { 0 };  in main()
644 	/* This example is taken from ISO14888-3 KCDSA (Appendix F "Numerical examples" */  in main()
654 0xF4, 0x00, 0xC4, 0x2B, 0xA0, 0xC9, 0x94, 0x0A, 0x32, 0x60, 0x04, 0x43, 0x3B, 0x6D, 0x30, 0x01, 0x2…  in main()
656 0x58, 0x41, 0xF1, 0x98, 0xEB, 0xE4, 0x32, 0x18, 0x26, 0x39, 0x61, 0x6F, 0x6A, 0x7F, 0x9B, 0xD7, 0x4…  in main()
671 0xE0, 0x26, 0xF1, 0xF3, 0x87, 0x13, 0x37, 0x49, 0xA4, 0xB1, 0xBB, 0xA4, 0xC2, 0x32, 0x52, 0xA4, 0xC…  in main()
678 …D, 0x51, 0x50, 0x9F, 0x97, 0x4D, 0x87, 0x8B, 0x48, 0x2D, 0x2A, 0xD2, 0xED, 0x32, 0xBE, 0x19, 0x05,   in main()
690 0x83, 0x91, 0xC2, 0x32, 0x07, 0x8D, 0xB0, 0x5A,   in main()
697 0xD4, 0x15, 0x33, 0xA9, 0x55, 0x8A, 0xB9, 0x32, 0x0A, 0x15, 0x4C, 0xAE, 0xCC, 0x54, 0x4E, 0x43, 0x0…  in main()
718 	u8 sig[32*2] = { 0 };  in main()
730 	 * NOTE: the double parentheses are here to handle -Wunreachable-code  in main()
734 		ext_printf("  => Please recompile libecc with EXTRA_CFLAGS=\"-DUSER_NN_BIT_LEN=4096\"\n");  in main()
736 …ext_printf("     Then recompile the current examples with the same EXTRA_CFLAGS=\"-DUSER_NN_BIT_LE…  in main()
749 …ret = kcdsa_sign(&priv, msg, sizeof(msg)-1, nonce, sizeof(nonce), sig, sizeof(sig), kcdsa_hash); E…  in main()
753 	ret = kcdsa_verify(&pub, msg, sizeof(msg)-1, sig, sizeof(sig), kcdsa_hash);  in main()